Hi,
I have an FC3 Linux box (kernel 2.6.10-1.770_FC3) with SELinux enforced, targeted policy 1.17.30-2.96. I tried to use SquirrelMail's change_passwd plugin, but got denied. The system log shows:
Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
I can use that plugin's command from an SSH console, but just not from the web. Should I change the targeted policy to make it work? If yes, how do I modify the policy?
Thanks a lot!
Hongwei Li

Hongwei Li wrote:
> Hi,
> I have an FC3 Linux box (kernel 2.6.10-1.770_FC3) with SELinux enforced, targeted policy 1.17.30-2.96. I tried to use SquirrelMail's change_passwd plugin, but got denied. The system log shows:
> Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
> Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
> I can use that plugin's command from an SSH console, but just not from the web. Should I change the targeted policy to make it work? If yes, how do I modify the policy?
> Thanks a lot!
> Hongwei Li
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list

The only way to do this currently is to install selinux-policy-targeted-sources.
Then you can edit the Apache rules to allow this priv. The problem with this priv is that it will allow any CGI script to execute setuid applications. The best solution would be to write policy for change_passwd and then have a domain transfer to this application.

Hongwei Li wrote:
> Hongwei Li wrote:
> > Hi,
> > I have an FC3 Linux box (kernel 2.6.10-1.770_FC3) with SELinux enforced, targeted policy 1.17.30-2.96. I tried to use SquirrelMail's change_passwd plugin, but got denied. The system log shows:
> > Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
> > Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
> > I can use that plugin's command from an SSH console, but just not from the web. Should I change the targeted policy to make it work? If yes, how do I modify the policy?
> > Thanks a lot!
> > Hongwei Li
> The only way to do this currently is to install selinux-policy-targeted-sources.
> Then you can edit the Apache rules to allow this priv. The problem with this priv is that it will allow any CGI script to execute setuid applications. The best solution would be to write policy for change_passwd and then have a domain transfer to this application.
> --

I am new to SELinux, especially to policy editing/writing. Could you please tell me how to do it each way (I have installed the sources):
1. How do I edit the Apache rules to allow this priv?
2. How do I write a policy for change_passwd and then have a domain transfer to it?
I appreciate your help!
Hongwei

Hongwei Li wrote:
> Hongwei Li wrote:
> > Hongwei Li wrote:
> > > Hi,
> > > I have an FC3 Linux box (kernel 2.6.10-1.770_FC3) with SELinux enforced, targeted policy 1.17.30-2.96. I tried to use SquirrelMail's change_passwd plugin, but got denied. The system log shows:
> > > Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
> > > Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
> > > I can use that plugin's command from an SSH console, but just not from the web. Should I change the targeted policy to make it work? If yes, how do I modify the policy?
> > > Thanks a lot!
> > > Hongwei Li
> > The only way to do this currently is to install selinux-policy-targeted-sources.
> > Then you can edit the Apache rules to allow this priv. The problem with this priv is that it will allow any CGI script to execute setuid applications. The best solution would be to write policy for change_passwd and then have a domain transfer to this application.
> > --
> I am new to SELinux, especially to policy editing/writing. Could you please tell me how to do it each way (I have installed the sources):
> - How do I edit the Apache rules to allow this priv?
Simple fix is to edit /etc/selinux/targeted/src/policy/domains/program/apache.te and add:
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t src_t:dir search;
> - How do I write a policy for change_passwd and then have a domain transfer to it?
A better solution would be to create a new policy file /etc/selinux/targeted/src/policy/domains/program/chpasswd.te and a new file context file /etc/selinux/targeted/src/policy/file_context/program/chpasswd.fc.
You might want to look at the passwd.te file from the strict policy as an example.
Another option might be to just relabel this policy as httpd_unconfined_script_t, since allowing sys_script to run chpasswd is pretty dangerous and can circumvent most SELinux controls.
> I appreciate your help!
> Hongwei
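The two allow rules in the reply above are read straight off the two AVC denials: the source type comes from scontext, the target type from tcontext (written as self when the two contexts carry the same type), the object class from tclass, and the permission from inside the braces. The script below is an added example, not code from the thread or from Fedora's tools; it automates that reading over the log lines quoted in the thread (embedded as constructed sample input), merges denials that share source, target and class, and flags any rule that would hand a kernel capability to a web script domain, which is exactly the case the reply warns about. It is a much-simplified version of what audit2allow does.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the thread,
# one record per line (the archive had fused them onto a single line).
SAMPLE_LOG = """\
Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

# Matches "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return {"perms": m.group("perms").split(), **fields}


def type_of(context):
    """Pull the type out of a user:role:type security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Collapse AVC denials into allow rules, one per (source, target, class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not all(k in rec for k in ("scontext", "tcontext", "tclass")):
            continue
        src = type_of(rec["scontext"])
        tgt = type_of(rec["tcontext"])
        if tgt == src:  # the same type on both sides is written as "self"
            tgt = "self"
        needed[(src, tgt, rec["tclass"])].update(rec["perms"])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


def flag_risky(rules):
    """Rules that hand a kernel capability to an httpd script domain.

    Widening httpd_*_script_t this way gives the capability to every CGI
    script running in that domain, which is the problem the reply points out.
    """
    risky = []
    for rule in rules:
        parts = rule.split()
        src, target_class = parts[1], parts[2]
        if src.startswith("httpd_") and src.endswith("_script_t") and target_class.endswith(":capability"):
            risky.append(rule)
    return risky


if __name__ == "__main__":
    rules = denials_to_rules(SAMPLE_LOG)
    risky = flag_risky(rules)
    for rule in rules:
        print(rule + ("  # grants a capability to a web script domain" if rule in risky else ""))
```

Run on the thread's two lines it produces exactly the two rules suggested in the reply; the flag on the capability rule is the cue to consider a separate domain for chpasswd rather than widening httpd_sys_script_t.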

Hongwei Li wrote:
> Hongwei Li wrote:
> > Hongwei Li wrote:
> > > Hi,
> > > I have an FC3 Linux box (kernel 2.6.10-1.770_FC3) with SELinux enforced, targeted policy 1.17.30-2.96. I tried to use SquirrelMail's change_passwd plugin, but got denied. The system log shows:
> > > Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
> > > Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
> > > I can use that plugin's command from an SSH console, but just not from the web. Should I change the targeted policy to make it work? If yes, how do I modify the policy?
> > > Thanks a lot!
> > > Hongwei Li
...
> A better solution would be to create a new policy file /etc/selinux/targeted/src/policy/domains/program/chpasswd.te and a new file context file /etc/selinux/targeted/src/policy/file_context/program/chpasswd.fc.
> You might want to look at the passwd.te file from the strict policy as an example.

After playing around, I created chpasswd.te and chpasswd.fc, and it is working now. In chpasswd.te, I have:
allow httpd_sys_script_t self:capability setuid;
allow httpd_sys_script_t shadow_t:file read;
...

> Another option might be to just relabel this policy as httpd_unconfined_script_t, since allowing sys_script to run chpasswd is pretty dangerous and can circumvent most SELinux controls.

Now, my question is: since I use httpd_sys_script_t, is it still dangerous even if I created my own domain? How do I relabel this policy as httpd_unconfined_script_t? I tried to use httpd_unconfined_script_t in chpasswd.te, but got an error when I ran make load: ERROR 'unknown type httpd_unconfined_script_t'
I greatly appreciate your help!
Hongwei
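The chpasswd.te quoted just above keeps the setuid capability and the shadow_t read on httpd_sys_script_t itself, so every CGI script in that domain still carries them; the earlier reply's point was to move those permissions into a domain of their own and reach it through a domain transition (what the thread calls a domain transfer), so that only the chpasswd process has them. The sketch below is an added example written in the syntax of the FC3-era example policy that selinux-policy-targeted-sources installs; it is not a file from the thread or from the Fedora policy package. The names httpd_chpasswd_t and httpd_chpasswd_exec_t, the macro choices (domain_auto_trans, uses_shlib, file_type_auto_trans) and the permission sets are assumptions; the real set should be derived from the AVC denials on the system in question, with passwd.te from the strict policy as the reference the reply points to.

```text
# chpasswd.te  (added example, not from the thread or the Fedora policy package)
# Written in the syntax of the FC3-era example policy. Domain names, macro
# choices and permission sets are assumptions; derive the real set from your
# own AVC denials.

# A private domain for the password-changing helper, and a type for its binary.
type httpd_chpasswd_t, domain;
type httpd_chpasswd_exec_t, file_type, sysadmfile, exec_type;
role system_r types httpd_chpasswd_t;

# When the CGI domain executes a file labeled httpd_chpasswd_exec_t, the new
# process runs in httpd_chpasswd_t (the macro supplies the execute, entrypoint,
# fd-use and sigchld rules). httpd_sys_script_t itself gains no new privilege.
domain_auto_trans(httpd_sys_script_t, httpd_chpasswd_exec_t, httpd_chpasswd_t)

# Privileges that only the helper domain carries.
uses_shlib(httpd_chpasswd_t)
allow httpd_chpasswd_t self:capability setuid;
allow httpd_chpasswd_t etc_t:dir { search getattr read write add_name remove_name };
allow httpd_chpasswd_t etc_t:file { read getattr };
allow httpd_chpasswd_t shadow_t:file { read getattr lock write setattr create unlink rename link };
# chpasswd replaces /etc/shadow by creating a new file in /etc; label it shadow_t.
file_type_auto_trans(httpd_chpasswd_t, etc_t, shadow_t)

# chpasswd.fc  (file context: the binary that is the entry point of the domain;
# the path is the one shown in the thread's AVC record)
/usr/bin/chpasswd  --  system_u:object_r:httpd_chpasswd_exec_t
```

After make load the binary has to be relabeled so the transition fires (restorecon /usr/bin/chpasswd, or a full relabel). The ERROR 'unknown type' in the message above is what a reference to a type the loaded policy does not declare looks like; a new domain must be introduced with a type statement before any rule names it. Even with the transition in place, the web script domain still decides when chpasswd runs and with what input, so the plugin's own validation of the username and password it passes remains the control that decides whose password can be changed.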